External resolution timeouts

Jason L. Cook jason at siliconashes.net
Thu Aug 5 20:31:44 UTC 2004


Quoting Justin Park <ng_tao at yahoo.co.kr>:

> Is your name server behind a firewall, especially a CheckPoint FW-1?

Yes! It is behind a Checkpoint FW-1.


> BIND 9 tries first DNS query with EDNS0 option and also CD flag set in
> DNS message header.
>
> The DNS Query message with this setting would be dropped by the
> firewall, if such SmartDefence function is enabled on CheckPoint FW-1.
>
> ...
>
> If my guess - your name server is behind a firewall and the
> firewall drops DNS query message - is right, the result of the above
> command will also time out..., instead of receiving DNS response with
> FORMERR.

Looks like this is exactly the case. Good guess!

What's the solution? Is there a way to configure BIND to send queries without
the EDNS0 option and CD flags, or do you think it is better to disable the
SmartDefence function in FW-1?
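
The two query shapes discussed in this thread, as an added example that is not part of the original messages: it builds a plain DNS query and one carrying the EDNS0 OPT pseudo-record with the CD header bit set, then classifies a raw packet so a capture taken on either side of the firewall can be compared. The query name, message ID and the 4096-byte UDP payload size are constructed sample values, and the helper names are hypothetical.

```python
import struct

CD_FLAG = 0x0010                       # "Checking Disabled" bit in the DNS header flags
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1  # OPT (41) is the EDNS0 pseudo-RR type

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, edns=False, cd=False, udp_size=4096):
    """Build an A query; optionally add the EDNS0 OPT record and set CD."""
    flags = CD_FLAG if cd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = b""
    if edns:
        # Root owner name, TYPE=OPT, CLASS=advertised UDP size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt

def skip_name(packet, pos):
    """Return the offset just past an uncompressed name (queries do not compress)."""
    while packet[pos] != 0:
        pos += 1 + packet[pos]
    return pos + 1

def inspect_query(packet):
    """Report whether a raw DNS query has CD set and carries an OPT record."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(packet, pos) + 4          # QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        pos = skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10 + rdlen
        has_opt = has_opt or rtype == TYPE_OPT
    return {"cd": bool(flags & CD_FLAG), "edns0": has_opt, "length": len(packet)}

if __name__ == "__main__":
    # Constructed sample input: name and message ID are placeholders.
    for label, pkt in (("plain", build_query("example.com", 0x1234)),
                       ("edns0+cd", build_query("example.com", 0x1234, edns=True, cd=True))):
        print(label, inspect_query(pkt), pkt.hex())
```

Running `inspect_query` over the payload of queries captured before and after the firewall shows whether only the EDNS0/CD form is missing on the far side.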


